We
are trying to use a Cisco WLC and our freeradius. We've been using this
same freeradius for authenticating users against the corporate LDAP.
Now we want WLC to talk to the radius server without losing any
functionality like user authentication or vlan assignment.
Our main
problem is that the vlan assingment is not working when we use the WLC.
The scenario with the APs talking to the radius directly works fine, but
when we use lightweight AP and the WLC we can see that the vlan
assignment part is skipped by the authentication process and all the
users are sent to the same vlan.
The
following is the output of the two cases. One of them is a user
authenticating without WLC, the AP talks directly to the Radius Server,
and the other is an authentication where WLC talks to the Radius Server (the one that is not working)
- 10.32.2.81 is the WLC IP address.
- 10.32.2.39 is the AP IP address.
WLC Soft Version: 7.0.116.0
These are the outputs:
1) AP - RADIUS (No WLC)
*****************************************************
rad_recv: Access-Request packet from host 10.32.2.39 port 1645, id=205, length=184 User-Name = "fcanales" Framed-MTU = 1400 Called-Station-Id = "001d.4551.7da0" Calling-Station-Id = "5894.6b0d.e86c"
Service-Type = Login-User Message-Authenticator = 0x46192e9a5e4720bd6c721e03d8e6c3b4 EAP-Message = 0x0208002b19001703010020f7e5545e9d9e05ecff5f8be2d1bc992eeddba82eb4adef509bded9dd6c132712
NAS-Port-Type = Wireless-802.11 NAS-Port = 59460 State = 0xf4160a33f11e13898255a02243c509d6 NAS-IP-Address = 10.32.2.39 NAS-Identifier = "ap-Reco32" +- entering group authorize {...}
++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "fcanales", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop
[eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap
[eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes.
[peap] Identity - fcanales [peap] Got tunneled request EAP-Message = 0x0208000d016663616e616c6573 server { PEAP: Got tunneled identity of fcanales PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to fcanales Sending tunneled request EAP-Message = 0x0208000d016663616e616c6573 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "fcanales" Framed-MTU = 1400
Called-Station-Id = "001d.4551.7da0" Calling-Station-Id = "5894.6b0d.e86c" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 59460
NAS-IP-Address = 10.32.2.39 NAS-Identifier = "ap-Reco32" server inner-tunnel { +- entering group authorize {...} ++[preprocess] returns ok ++? if (!Huntgroup-Name) ? Evaluating !(Huntgroup-Name) -> FALSE
++? if (!Huntgroup-Name) -> FALSE ++? if (Huntgroup-Name == "list") ? Evaluating (Huntgroup-Name == "list") -> TRUE ++? if (Huntgroup-Name == "list") -> TRUE ++- entering if (Huntgroup-Name == "list") {...}
+++? if (Ldap-Group == "WIFI-Direccion") rlm_ldap: Entering ldap_groupcmp() expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar expand: (uid=%u) -> (uid=fcanales) rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (uid=fcanales) rlm_ldap: ldap_release_conn: Release Id: 0 WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=posixGroup)(memberUid=fcanales)) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (&(cn=WIFI-Direccion)(&(objectClass=posixGroup)(memberUid=fcanales))) rlm_ldap: object not found rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group WIFI-Direccion not found or user is not a member. +++? if (Ldap-Group == "WIFI-MKTyCC") rlm_ldap: Entering ldap_groupcmp() expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=posixGroup)(memberUid=fcanales))
rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (&(cn=WIFI-Finanzas)(&(objectClass=posixGroup)(memberUid=fcanales)))
rlm_ldap: object not found rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group WIFI-Finanzas not found or user is not a member. +++? if (Ldap-Group == "WIFI-TyO") rlm_ldap: Entering ldap_groupcmp()
expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=posixGroup)(memberUid=fcanales))
rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (&(cn=WIFI-TyO)(&(objectClass=posixGroup)(memberUid=fcanales)))
rlm_ldap::ldap_groupcmp: User found in group WIFI-TyO rlm_ldap: ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "WIFI-TyO") -> TRUE +++? if (Ldap-Group == "WIFI-TyO") -> TRUE
+++- entering if (Ldap-Group == "WIFI-TyO") {...} ++++[reply] returns ok +++- if (Ldap-Group == "WIFI-TyO") returns ok +++? if (Ldap-Group == "WIFI-ITfuncional") rlm_ldap: Entering ldap_groupcmp()
expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=posixGroup)(memberUid=fcanales))
rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (&(cn=WIFI-Monit)(&(objectClass=posixGroup)(memberUid=fcanales)))
rlm_ldap: object not found rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group WIFI-Monit not found or user is not a member. ++- if (Huntgroup-Name == "list") returns ok ++[chap] returns noop
++[mschap] returns noop ++[unix] returns updated [suffix] No '@' in User-Name = "fcanales", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop
[eap] EAP packet type response id 8 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for fcanales
[ldap] expand: (uid=%u) -> (uid=fcanales) [ldap] expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (uid=fcanales)
[ldap] looking for check items in directory... rlm_ldap: sambaNtPassword -> NT-Password == 0x3441313536383141373845384430414446424135364139373343343736374646 rlm_ldap: sambaLmPassword -> LM-Password == 0x4446323634314431373041414432333739433530313441453437313841374545
[ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user fcanales authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "212"
EAP-Message = 0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x158baf111582b5a1fb3a126781117cd4 [peap] Got tunneled reply RADIUS code 11
Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "212" EAP-Message = 0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573
Message-Authenticator = 0x00000000000000000000000000000000 State = 0x158baf111582b5a1fb3a126781117cd4 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 205 to 10.32.2.39 port 1645
EAP-Message = 0x0109004b19001703010040640c0cb308474b42ecc083db0b3f47c66731a31c01801dde9b162f50d5bde13456412ab71e4d7d0e743b50cc42e91bba22dabeb375116f48b625e9691a3d3932 Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf4160a33f21f13898255a02243c509d6 Finished request 38.